[....] Starting enhanced syslogd: rsyslogd[   11.275822] audit: type=1400 audit(1513628033.656:5): avc:  denied  { syslog } for  pid=2990 comm="rsyslogd" capability=34  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
Starting mcstransd: 
[....] Starting file context maintaining daemon: restorecond[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   17.240828] audit: type=1400 audit(1513628039.621:6): avc:  denied  { map } for  pid=3129 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.58' (ECDSA) to the list of known hosts.
executing program
[   23.480082] audit: type=1400 audit(1513628045.860:7): avc:  denied  { map } for  pid=3143 comm="syzkaller987613" path="/root/syzkaller987613502" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   23.512362] ==================================================================
[   23.519729] BUG: KASAN: use-after-free in handle_userfault+0x21c1/0x24c0
[   23.526533] Read of size 8 at addr ffff8801c8c86da0 by task syzkaller987613/3150
[   23.534030] 
[   23.535625] CPU: 0 PID: 3150 Comm: syzkaller987613 Not tainted 4.15.0-rc4+ #137
[   23.543038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   23.552359] Call Trace:
[   23.554915]  dump_stack+0x194/0x257
[   23.558511]  ? arch_local_irq_restore+0x53/0x53
[   23.563147]  ? show_regs_print_info+0x18/0x18
[   23.567611]  ? find_held_lock+0x35/0x1d0
[   23.571643]  ? handle_userfault+0x21c1/0x24c0
[   23.576107]  print_address_description+0x73/0x250
[   23.580918]  ? handle_userfault+0x21c1/0x24c0
[   23.585388]  kasan_report+0x25b/0x340
[   23.589165]  __asan_report_load8_noabort+0x14/0x20
[   23.594061]  handle_userfault+0x21c1/0x24c0
[   23.598355]  ? __lock_is_held+0xb6/0x140
[   23.602392]  ? userfaultfd_ioctl+0x4520/0x4520
[   23.606945]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.612111]  ? rcu_read_lock_sched_held+0x108/0x120
[   23.617102]  ? __alloc_pages_nodemask+0xadb/0xd80
[   23.621918]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[   23.626904]  ? depot_save_stack+0x3b5/0x490
[   23.631199]  ? save_stack+0xa3/0xd0
[   23.634791]  ? save_stack+0x43/0xd0
[   23.638381]  ? kasan_kmalloc+0xad/0xe0
[   23.642232]  ? kasan_slab_alloc+0x12/0x20
[   23.646345]  ? kmem_cache_alloc+0x12e/0x760
[   23.650631]  ? ptlock_alloc+0x24/0x70
[   23.654410]  ? pte_alloc_one+0x59/0x100
[   23.658358]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[   23.663600]  ? handle_mm_fault+0x334/0x8d0
[   23.667801]  ? __do_page_fault+0x5c9/0xc90
[   23.672049]  ? do_page_fault+0xee/0x720
[   23.675992]  ? page_fault+0x22/0x30
[   23.679593]  ? check_noncircular+0x20/0x20
[   23.683797]  ? check_noncircular+0x20/0x20
[   23.688005]  ? alloc_pages_current+0xbe/0x1e0
[   23.692477]  ? mm_get_huge_zero_page+0x12c/0x400
[   23.697203]  ? find_held_lock+0x35/0x1d0
[   23.701236]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[   23.706477]  ? lock_downgrade+0x980/0x980
[   23.710596]  ? lock_release+0xa40/0xa40
[   23.714538]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   23.719521]  ? do_raw_spin_trylock+0x190/0x190
[   23.724075]  ? lockdep_init_map+0x9/0x10
[   23.728111]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[   23.733189]  ? __thp_get_unmapped_area+0x130/0x130
[   23.738084]  ? __lock_acquire+0x664/0x3e00
[   23.742285]  ? __lock_acquire+0x664/0x3e00
[   23.746490]  ? lock_release+0xa40/0xa40
[   23.750440]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.755595]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   23.760751]  ? find_held_lock+0x35/0x1d0
[   23.764788]  ? finish_fault+0x1b4/0x2a0
[   23.768729]  ? lock_downgrade+0x980/0x980
[   23.772850]  ? do_swap_page+0x2c50/0x2c50
[   23.776970]  ? _cond_resched+0x14/0x30
[   23.780821]  ? __do_fault+0x2d5/0x30f
[   23.784587]  ? unlock_page+0x19f/0x270
[   23.788442]  ? wake_up_page_bit+0x530/0x530
[   23.792740]  ? check_noncircular+0x20/0x20
[   23.797375]  ? _raw_spin_unlock+0x22/0x30
[   23.801499]  __handle_mm_fault+0x1a0c/0x3ce0
[   23.805882]  ? __pmd_alloc+0x4e0/0x4e0
[   23.809742]  ? find_held_lock+0x35/0x1d0
[   23.813777]  ? handle_mm_fault+0x248/0x8d0
[   23.817980]  ? lock_downgrade+0x980/0x980
[   23.822115]  handle_mm_fault+0x334/0x8d0
[   23.826140]  ? down_read_trylock+0xdb/0x170
[   23.830429]  ? __do_page_fault+0x32d/0xc90
[   23.834631]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   23.839181]  ? vmacache_find+0x5f/0x280
[   23.843207]  ? vmacache_update+0xfe/0x130
[   23.847337]  ? find_vma+0x30/0x150
[   23.850847]  __do_page_fault+0x5c9/0xc90
[   23.854882]  ? mm_fault_error+0x2c0/0x2c0
[   23.858999]  ? __free_pages+0xd8/0x150
[   23.862862]  do_page_fault+0xee/0x720
[   23.866629]  ? __do_page_fault+0xc90/0xc90
[   23.870838]  ? syscall_return_slowpath+0x2ad/0x550
[   23.875734]  ? prepare_exit_to_usermode+0x340/0x340
[   23.880717]  ? retint_user+0x18/0x18
[   23.884402]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   23.889218]  page_fault+0x22/0x30
[   23.892635] RIP: 0023:0xf7fc3c79
[   23.895970] RSP: 002b:0000000020687000 EFLAGS: 00010296
[   23.901297] RAX: 0000000000000000 RBX: 0000000000000600 RCX: 0000000020687000
[   23.908534] RDX: 0000000020b4c000 RSI: 0000000020552ffc RDI: 00000000207a4f71
[   23.915768] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   23.923003] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   23.930246] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   23.937500] 
[   23.939097] Allocated by task 3148:
[   23.942692]  save_stack+0x43/0xd0
[   23.946111]  kasan_kmalloc+0xad/0xe0
[   23.949791]  kasan_slab_alloc+0x12/0x20
[   23.953737]  kmem_cache_alloc+0x12e/0x760
[   23.957856]  dup_userfaultfd+0x21c/0x890
[   23.961890]  copy_mm+0xa38/0x1310
[   23.965315]  copy_process.part.38+0x1eb9/0x4ac0
[   23.969951]  _do_fork+0x1ef/0xfb0
[   23.973374]  SyS_clone+0x37/0x50
[   23.976710]  do_fast_syscall_32+0x3ee/0xf9d
[   23.980997]  entry_SYSENTER_compat+0x51/0x60
[   23.985374] 
[   23.986968] Freed by task 3148:
[   23.990213]  save_stack+0x43/0xd0
[   23.993630]  kasan_slab_free+0x71/0xc0
[   23.997487]  kmem_cache_free+0x77/0x280
[   24.001426]  userfaultfd_ctx_put+0x50c/0x740
[   24.005797]  userfaultfd_event_wait_completion+0x86d/0xae0
[   24.011387]  dup_userfaultfd_complete+0x2de/0x480
[   24.016193]  copy_mm+0xe9b/0x1310
[   24.019622]  copy_process.part.38+0x1eb9/0x4ac0
[   24.024254]  _do_fork+0x1ef/0xfb0
[   24.027673]  SyS_clone+0x37/0x50
[   24.031005]  do_fast_syscall_32+0x3ee/0xf9d
[   24.035298]  entry_SYSENTER_compat+0x51/0x60
[   24.039668] 
[   24.041260] The buggy address belongs to the object at ffff8801c8c86c40
[   24.041260]  which belongs to the cache userfaultfd_ctx_cache of size 360
[   24.054753] The buggy address is located 352 bytes inside of
[   24.054753]  360-byte region [ffff8801c8c86c40, ffff8801c8c86da8)
[   24.066590] The buggy address belongs to the page:
[   24.071496] page:00000000d5bd414a count:1 mapcount:0 mapping:000000003fa120bd index:0xffff8801c8c86ff7
[   24.080904] flags: 0x2fffc0000000100(slab)
[   24.085106] raw: 02fffc0000000100 ffff8801c8c86000 ffff8801c8c86ff7 0000000100000009
[   24.092950] raw: ffff8801d6b35f48 ffff8801d6b35f48 ffff8801d6805000 0000000000000000
[   24.100795] page dumped because: kasan: bad access detected
[   24.106468] 
[   24.108063] Memory state around the buggy address:
[   24.112956]  ffff8801c8c86c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.120282]  ffff8801c8c86d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.127607] >ffff8801c8c86d80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[   24.134931]                                ^
[   24.139302]  ffff8801c8c86e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.146624]  ffff8801c8c86e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.153944] ==================================================================
[   24.161266] Disabling lock debugging due to kernel taint
[   24.166912] Kernel panic - not syncing: panic_on_warn set ...
[   24.166912] 
[   24.174261] CPU: 0 PID: 3150 Comm: syzkaller987613 Tainted: G    B            4.15.0-rc4+ #137
[   24.182974] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   24.192291] Call Trace:
[   24.194846]  dump_stack+0x194/0x257
[   24.198440]  ? arch_local_irq_restore+0x53/0x53
[   24.203075]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   24.207797]  ? vsnprintf+0x1ed/0x1900
[   24.211562]  ? handle_userfault+0x2160/0x24c0
[   24.216027]  panic+0x1e4/0x41c
[   24.219189]  ? refcount_error_report+0x214/0x214
[   24.223913]  ? add_taint+0x1c/0x50
[   24.227424]  ? add_taint+0x1c/0x50
[   24.230932]  ? handle_userfault+0x21c1/0x24c0
[   24.235391]  kasan_end_report+0x50/0x50
[   24.239329]  kasan_report+0x144/0x340
[   24.243096]  __asan_report_load8_noabort+0x14/0x20
[   24.247988]  handle_userfault+0x21c1/0x24c0
[   24.252276]  ? __lock_is_held+0xb6/0x140
[   24.256307]  ? userfaultfd_ioctl+0x4520/0x4520
[   24.260850]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.266007]  ? rcu_read_lock_sched_held+0x108/0x120
[   24.270994]  ? __alloc_pages_nodemask+0xadb/0xd80
[   24.275815]  ? __alloc_pages_slowpath+0x2d00/0x2d00
[   24.280795]  ? depot_save_stack+0x3b5/0x490
[   24.285087]  ? save_stack+0xa3/0xd0
[   24.288677]  ? save_stack+0x43/0xd0
[   24.292266]  ? kasan_kmalloc+0xad/0xe0
[   24.296384]  ? kasan_slab_alloc+0x12/0x20
[   24.300497]  ? kmem_cache_alloc+0x12e/0x760
[   24.304781]  ? ptlock_alloc+0x24/0x70
[   24.308545]  ? pte_alloc_one+0x59/0x100
[   24.312483]  ? do_huge_pmd_anonymous_page+0xc23/0x1b00
[   24.317724]  ? handle_mm_fault+0x334/0x8d0
[   24.321925]  ? __do_page_fault+0x5c9/0xc90
[   24.326124]  ? do_page_fault+0xee/0x720
[   24.330066]  ? page_fault+0x22/0x30
[   24.333664]  ? check_noncircular+0x20/0x20
[   24.337868]  ? check_noncircular+0x20/0x20
[   24.342072]  ? alloc_pages_current+0xbe/0x1e0
[   24.346537]  ? mm_get_huge_zero_page+0x12c/0x400
[   24.351261]  ? find_held_lock+0x35/0x1d0
[   24.355295]  ? do_huge_pmd_anonymous_page+0xe1f/0x1b00
[   24.360538]  ? lock_downgrade+0x980/0x980
[   24.364658]  ? lock_release+0xa40/0xa40
[   24.368597]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   24.373577]  ? do_raw_spin_trylock+0x190/0x190
[   24.378125]  ? lockdep_init_map+0x9/0x10
[   24.382158]  do_huge_pmd_anonymous_page+0xe2c/0x1b00
[   24.387235]  ? __thp_get_unmapped_area+0x130/0x130
[   24.392131]  ? __lock_acquire+0x664/0x3e00
[   24.396332]  ? __lock_acquire+0x664/0x3e00
[   24.400533]  ? lock_release+0xa40/0xa40
[   24.404477]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.409630]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   24.414787]  ? find_held_lock+0x35/0x1d0
[   24.418819]  ? finish_fault+0x1b4/0x2a0
[   24.422759]  ? lock_downgrade+0x980/0x980
[   24.426873]  ? do_swap_page+0x2c50/0x2c50
[   24.430988]  ? _cond_resched+0x14/0x30
[   24.434844]  ? __do_fault+0x2d5/0x30f
[   24.438613]  ? unlock_page+0x19f/0x270
[   24.442470]  ? wake_up_page_bit+0x530/0x530
[   24.446762]  ? check_noncircular+0x20/0x20
[   24.450960]  ? _raw_spin_unlock+0x22/0x30
[   24.455074]  __handle_mm_fault+0x1a0c/0x3ce0
[   24.459449]  ? __pmd_alloc+0x4e0/0x4e0
[   24.463304]  ? find_held_lock+0x35/0x1d0
[   24.467334]  ? handle_mm_fault+0x248/0x8d0
[   24.471532]  ? lock_downgrade+0x980/0x980
[   24.475656]  handle_mm_fault+0x334/0x8d0
[   24.479680]  ? down_read_trylock+0xdb/0x170
[   24.483969]  ? __do_page_fault+0x32d/0xc90
[   24.488169]  ? __handle_mm_fault+0x3ce0/0x3ce0
[   24.492731]  ? vmacache_find+0x5f/0x280
[   24.496670]  ? vmacache_update+0xfe/0x130
[   24.500785]  ? find_vma+0x30/0x150
[   24.504292]  __do_page_fault+0x5c9/0xc90
[   24.508321]  ? mm_fault_error+0x2c0/0x2c0
[   24.512434]  ? __free_pages+0xd8/0x150
[   24.516287]  do_page_fault+0xee/0x720
[   24.520055]  ? __do_page_fault+0xc90/0xc90
[   24.524258]  ? syscall_return_slowpath+0x2ad/0x550
[   24.529152]  ? prepare_exit_to_usermode+0x340/0x340
[   24.534132]  ? retint_user+0x18/0x18
[   24.537811]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   24.542621]  page_fault+0x22/0x30
[   24.546040] RIP: 0023:0xf7fc3c79
[   24.549371] RSP: 002b:0000000020687000 EFLAGS: 00010296
[   24.554699] RAX: 0000000000000000 RBX: 0000000000000600 RCX: 0000000020687000
[   24.561934] RDX: 0000000020b4c000 RSI: 0000000020552ffc RDI: 00000000207a4f71
[   24.569168] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   24.576402] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   24.583635] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   24.591294] Dumping ftrace buffer:
[   24.594797]    (ftrace buffer empty)
[   24.598472] Kernel Offset: disabled
[   24.602064] Rebooting in 86400 seconds..